f5 asm
3 Topics

F5 AWAF Policy learning phase opinion
Hello, hope you are doing well! I am new to F5 AWAF and am wondering what the recommended way is to protect an app published on the internet. AFAIK, in the learning phase with transparent mode, or in blocking mode with staging enabled, the attack won't be blocked. Since testing the app locally is not always an option, is it optimal to set the policy into blocking mode/Enforce/disable learn only for the high attack signatures, while at the same time I put other entities into staging (Cookies, URL, parameters, ...) with automatic policy building for learning? What do you think? At least I will be sure the high attack won't pass to the app. Thanks. Regards! Amine
420 Views, 0 likes, 4 Comments

Attack signature relaxation at JSON profile level rather than whole policy level on F5 v17.x
There is one false positive attack signature I want to relax on the F5 policy. The attack says onload(parameter), and I don't want to relax it at the whole policy level under policy attack signature disable, but I don't know how to relax it at the JSON profile level. I can see the attack signature option available at the JSON profile level, but I am not sure how to relax it as compared to relaxing at the whole policy level. Please help!
37 Views, 0 likes, 0 Comments

ASM - Enforcement Readiness - Export from one ASM to another
We have an ASM in our Production Environment in which we have security policies in Learning mode. There are Attack Signatures 'Ready to be Enforced'. We use our Prod Environment to learn (real traffic hitting our VIPs), then take the learned attributes and build our policies in our QA ASM. Then we test our policies in QA before rolling them back out into Production. Question: In one case, I have 180 Attack Signatures 'Ready to be Enforced' in Prod. Is it possible to export or copy the 'Ready to be Enforced' Attack Signatures out of our Production ASM and import them into our QA ASM, such that once done, all the 'Ready to be Enforced' Attack Signatures that were in the Production ASM now show up on our QA ASM? Thank you
221 Views, 0 likes, 0 Comments